Friday, June 20, 2008

Day 1: Starting at the beginning

You’re hired on at a new company placed in charge of securing their online business (websites). You know next to nothing about the technical details of the infrastructure other than they have no existing web/software security program and a significant portion of the organizations revenues are generated through their websites.

What is the very first thing do on day 1?

The idea here is to collect wisdom from the crowd (avoiding multiple choice), see if we can find reoccurring themes, order them accordingly, and then move onto the next step. And please don’t say pour a cup of coffee. :)

Open a Diet Coke! For me it would be developing a network infrastructure. I'm into visio maps to organize my thinking. From the Internet to routers, firewalls, switches, I'd want to be sure the basics were secure first. Patch's second, and securing the Web Traffic with an applications firewall last.

People should be #1 -- the "rest is commentary" as they say. What are the formal roles? What are the teams? Who really gets things done or makes decisions? Is there a program manager somewhere that has the keys to the kingdom and knows everybody. Is there a motivated QA guy that "wants to learn security." Who is that one architect that knows everything (pipe dream) that can whiteboard the app infrastructure that will make threat modeling possible, etc.

1) Pull all of your DNS entries and check them for 80, 443 and all other common web ports. Then dust off nmap and scan the entire production infrastructure for the same, then the development infrastructure (workstations optional), Invintory in your favorite bit bucket storage utility.

The first thing is to figure out priorities. That means you need to meet with as many high level folks as possible in the first few days. It's critical to understand what is the most important data (and therefore applications) and then who is going to be fired if that data is breached.

You can't do everything, so if you are starting something new - at least protect the right stuff.

I hear there is a Pragmatic guide that goes into this kind of stuff. :-)

If you are replacing someone, or maybe even if not, change the passwords, probably most passwords haven't been changed in years, and so various contractors, old IT guys, former girlfriends, etc. have access to change your data, but have been nice enough not to up to this point.

1. Establish where all the hot girls are (usually marketing and accounting)2. Make up reasons for visiting aforementioned departments3. Grow a mysterious, swashbuckling image of yourself with suggestive remarks about a past life of crime, travel, royalty, adventure and car chases4. Hide all your D&D character sheets (even your level 19 fighter who has negative 5 AC... WITHOUT ARMOR Zomg!!!1)5. Get hacked6. Install ScanAlert or get McFeters certified7. Sleep easy

1. Get internal technical team to brief me on the infrastructure2. If there are glaring security holes after the briefing, study possibilities for technology to provide quick wins and immediate security to the infrastructure. Then follow internal processes to have them purchased.3. Shop around for a third party to conduct a security assessment. I'll be initially looking for: - [ ] An External Security Assessment (Infrastructure and Application) - [ ] Source Code ReviewAgain, follow internal procurement procedures to have the third party security team hired on an urgent basis.4. Look at internal technical staff potential (if a dedicated security team does not exist) in order to have some of the stronger team members form a pseudo security team. Meanwhile, identify weaknesses in areas of security and plan to hire people to fill these gaps5. Depending on 4. above, build an Incident Response Team and/or procedures on how to address Business Continuity and what to do in case I am hacked. I would make this very comprehensive and spend the most time on this.

This is probably as much time as I would have on Day 1 realistically speaking and through experience.

From the comments received I'm going to distill each arbitrary "day" down into groupings of ordered tasks (with examples if possible) - then tie them all together in a flow chart of sorts. Should make for an interesting and useful web security program build out by day 5.

A lot of people have said essentially to take an inventory, and I guess I would have to agree. You have to know what you need to secure before you can secure it. Try to talk to the right people to identify all of the web apps and servers in your environment. Then figure out what they do, and how important they are to the business.

As a senior person, I like to think about what I'd set out to do in my first 90 - 365 days well before 8 am on the first day. I have a message (let's do some secure business!), and a basic plan for sure, but beyond that, it's going to take a while to learn what's really wrong and how best to fix it. Some folks might try to get to you early to get their version of events. They may be telling the truth, often they're not. Wait a while to figure that out.

Lastly, if you make a lot of announcements early, you will miss out on one of the most powerful CYA mechanisms - blaming the person before you for unpopular changes, write downs, changing processes or killing them off, changing vendors, or killing wasteful projects. That period can be milked for some time if you play your cards right. ;-)

I think that everybody should take another look at Mike Rothman's and Andrew Van Der Stock's comments as they are critical.

Jumping into an organization with a Gung-ho attitude and vast knowledge of analysis tools is great but you have to remember that people have been there for a while and conducting business. They understand what is going on and why the environment is in its current state.

First thing: sit down with the "People" of the organization. Start with your executive introductions and determine the core objectives of the IT and development departments. What services are they providing and which ones are critical to keep everything running (and everybody getting paid). This goes to Mike's priorities.

After the executives move to your peers in the IT and development departments. During your conversations with them be sure to use terms like "I'm here to help." "Our level of service to the customer is priority." "We know I will be recommending changes, but I am open to suggestion and clarification." "How do I get integrated into your processes and procedures?" "Open communications is essential. Please come to me with any questions, concerns, or recommendations." This is the positive, team player attitude that Andrew brought up.

First impressions are key. You have to present yourself as a team player willing to integrate and work towards making the business more successful through security.

Also, from a personal stand point, you have to realize that you will be working on a moving target as everything is already in place. Changing the direction of a moving target is much harder. Patience and persistence will be essential. Come to the job knowing that change will take some time to accomplish and hard work will probably be required.

I would definitely say do the meet and greet thing for the first day. I completely agree with Andrew that coming in like Gang Busters and starting to change everything just screams "I am an elitist. I know more than you, and always will." Not a very good way to start out with people whose development process you are going to drastically change.

Second, find out what you own - apps, sites, servers, etc both publicly facing and internally facing.

Second day (being preemptive here)

Document what type of data each above system handles and start to find out how critical that data is to the company.

Start setting up some type of data classification system with minimum requirements for protecting each classification level.

1) Resist the urge to dive in and start "fixing" things immediately. Making sudden and/or unpopular moves too quickly can burn political capital that you don't even have yet.

2) Understand the organizational structure, how different business units interact with one another, who is responsible for what. Are there any would-be security champions/detractors that will be influential in gaining buy-in?

3) Schedule high-level meetings with execs to get a handle on business priorities.

4) Start to enumerate the application inventory using the data from previous steps, and rank them by business criticality. Understand the longevity and security maturity of each.

Only at this point is it practical to start prioritizing actions and figuring out how best to accomplish them within budget constraints. Oh... you DO have a budget, right?

I'm inclined to agree with Matt Farnz here on your first day people should be #1. Although I would actually say that beyond just learning peoples roles and capabilities it would also be important to learn the political environment as well.

When you are being brought on to enhance security the chances are that there is something broken or rather not security focused in the most basic processes. This means that some type of change needs to occur. Identifying where that change needs to be made will be easy. Figuring out a way to create that change will be much more difficult.

The real trick to ensuring security is to get other non-security focused teams to create the security posture. It's not something technical that forces a change, it's political. If you learn to leverage the politics to create the proper processes to fix the technical issues you tend to be better off. Put simply, learn how to create a security culture.

On a side note...if you should completely disagree with me and agree more with Mark's post. Before you dive into scanning everything consider finding an old HP printer and using the -sI switch in nMap to idle scan off of the printer. You'll probably have a job for a day or two longer haha :-D

I'm noticing a lot of comments about meeting with people in the various organizational groups, especially upper management, to develop "business objectives" or "priorities". Could you please list some as examples?

The list doesn't need to be exhaustive, but enough of the more common objectives/priorities so they can be placed in a mind map.

First you have to understand the web application and exactly what it does. What systems does it connect to on the back end and what inter-dependencies do they have with other systems. Once you know that you can then meet with the business units to understand how they use the data and look at what protections are currently in place. You also need to have an understanding of where do they want to go with their web presence. What plans do they have to expand or add functionality.

I'll toss my agreement with several others who have stated that your first priority is building relationships with the executives whose people are going to have to make all the changes you are likely to be pushing for in the near future.

But, even before doing that, I think it is vital that as the new security dude or dudette, we have to ensure we have the backing and support of the highest levels of management. If the CEO, CIO, etc. level folks are not behind you, you are going to have a hard time getting others to buy in. Hopefully this was taken care of during the hiring process.

There are some rather lofty ideas of what to do on the first day but my first choice would be - check that the basics are in place.

Are the PCs using passwords, is there anti-virus in place, is there a process to keep it up-to-date. Is there a patching program. Check your own PC and those of the people around you for what software is installed, how up-to-date it is. Is there a firewall? Is it effective?

Once that is done.. then move on to the other things such as interacting with business, risk assessments et al.

About Me

Jeremiah Grossman's career spans nearly 20 years and has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards, been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!